Abstract:
Big ‘R’ Risk Management is also known as the Modern Approach to Operational Risk. It’s a very different approach to probabilistic risk analysis. Instead of trying to quantify the risk of individual threat + vulnerability + consequence combinations, the focus is on quantitative estimation of the factors that drive aggregate risk at a business unit or enterprise level. While it’s been described in concept, there isn’t much information on implementation.

As an introduction, the presentation will start with an overview of the Modern Approach and the generic steps in the analysis and decision-making. The rest of the presentation will be a walkthrough of one or two illustrative cases to show how it would be implemented in practice, especially in a pilot or a proof-of-concept.

The main takeaway will be a better understanding of the viability of the Modern Approach and practical guidance on how to get started on it via a pilot implementation.

Sunday, September 22, 2013

People blog for a lot of reasons and in many styles. Except for occasional posts like this one, I rarely write short posts. No doubt, some potential readers will find this to be a big turnoff. I'm fine with that. I know who I aim to serve and who I don't. This blog isn't for people who have short attention spans or who only want bite-sized "nuggets".

In addition to writing to serve readers, I also write for my own purposes. I've discovered that blogging works best when it serves as a way to rapidly prototype ideas and methods that might later become academic papers, industry presentations, book chapters, books, software models, and such. These final products take a lot of time and effort to produce in final form. Blogging gives me the opportunity to get started on them, focusing on just a few ideas at a time and without the need to have everything worked out. Plus I get to see how people react, either through page views, social media comments, blog comments, or private email.

Tuesday, September 17, 2013

I'm presenting tomorrow at the EnergySec Summit in Denver, 2:15 to 2:50pm. If you are attending, come and say "hi". Since it's such a tight time slot, the pace of presentation will be pretty fast. Therefore you might want to preview my presentation in advance or have it open while I'm presenting:

This is the Ten Dimensions of Cyber Security Performance but I'm using a different presentation approach than in the blog posts or my Bsides-LA presentation. As a dramatic device, I'm using a "movie plot" to help the audience imagine how the Ten Dimensions would make a difference once they are implemented.

As you might already know, I won Bruce Schneier's Sixth Annual Movie Plot Threat contest. This movie plot was constructed using a similar approach and methods. My main goal was to stretch the imagination of the audience by emphasizing a threat and attack scenario that isn't often considered, but yet is very plausible -- namely business partners as threat agents. I also wanted a scenario that was not a typical attack with typical consequences, but yet was serious at a system level.

[Edit: shout out to Andy Bochman who just wrote this post on the value of a compelling story to boost awareness and understanding. Great minds think alike!]

As the 2017 heat wave extended into its third week, "Monkey's Uncle" had netted
Gold Man Hacks almost $300 million in bonus payments, with no end in sight.

If any of the microgrid operators had noticed their anomalous wholesale transactions
and was sufficiently capable to do a proper investigation…

Thursday, September 12, 2013

That's a frog on the handle. It was in the pot
but jumped out when things got too hot.

I'm one frog that has noticed that the water in the Facebook pot is getting too hot for comfort. I'm jumping out.

I'm leaving Facebook this week -- permanently. I'm tired of the creeping encroachments on my privacy. Also I'm no longer willing to be a part of Facebook's quest to commercialize and make public all of our social relations and interactions.

The most recent privacy policy changes are the proximate cause (see this, this, this and this). Though protest and government scrutiny have prompted Facebook to delay implementation, the trend is clear.

If you drop a frog in a pot of boiling water, it will of course frantically try to clamber out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite placidly. As the water gradually heats up, the frog will sink into a tranquil stupor, exactly like one of us in a hot bath, and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death.

I'm not against businesses making money through advertising in their "free" services. It's just the way Facebook is doing it that deeply bothers me.

Privacy isn't just "not disclosing private information". It's also about people keeping control of their private information, where and how it is used, and by whom. Facebook's latest changes are forcing users like me to give away vital elements of control, in my opinion.

Finally, I don't trust them to keep to the spirit of privacy. Facebook's definition of privacy is like Bill Clinton's definition of "sexual relations" -- an unreasonably narrow definition whose rhetorical aim is to dissemble. At best, I believe Facebook will continue to keep to the letter of their constantly shifting privacy policy and user agreement, all the while constantly finding ways to subtly erode our privacy. At worst -- well, obviously very bad things would happen. But I'm acting on the assumption of the best case, not the worst.

Langner's views have persuaded some people and received attention in the media. He gained some fame in the course of the investigation of the Stuxnet worm's capabilities to exploit Siemens PLCs (programmable logic controllers). Specifically, Ralph was the first to assert that the Stuxnet worm is a precision weapon aimed at sabotaging Iran's nuclear program. Langner also gains institutional credibility as a Nonresident Fellow at the Brookings Institute, which published the "Bound to Fail..." paper. I'm guessing that the Brookings PR department has been helping to get press attention for Langner's blog post critiquing NIST CSF and his proposed alternative: RIPE. They were reported in seven on-line publications last week alone: here, here, here, here, here, here, and here. (Note to self: get a publicist.)

In this long post, I'm going to critique Mr. Langner's critique of risk management, pointing to a few places where I agree with him, but I will present counter-arguments to his arguments that risk management is fundamentally flawed.

TL;DR version: There's plenty of innovation potential in the modern approach to risk management that Langner hasn't considered or doesn't know about. Therefore, "bound to fail" is false. Instead, things are just now getting interesting. Invest more, not less.

In the next post, I'll critique Mr. Langner's proposed alternative for an industrial control system security framework, which he dubs "Robust ICS Planning and Evaluation" (RIPE).

Friday, September 6, 2013

I wish I could write a more favorable review of the latest NIST Cyber Security Framework (CSF) draft. I'm in favor of frameworks that might help us break out of the current malaise in cyber security. I'm not anti-government or anti-regulation, either. But my review isn't favorable because I don't think NIST CSF will promote the type of change necessary to make a meaningful difference. It's not about the details but mostly about the overall structure and strategy behind it, as I describe below.

CSF advances the ball, but not enough to matter,
especially considering the effort.

The title of this blog post refers to the offensive strategy of Ohio State football coach Woody Hayes. He had success for nearly 30 years with a very conservative, grind-it-out ground-based offense that centered on running plays between the tackles. His teams often threw fewer than 10 passes a game. Since a team needs 10 yards every 4 plays to hold on to the ball, if you could guarantee 3 yards per play you could hold on to the ball for a long time and eventually grind it in for a score. This also worked in part because it minimized turnovers. It was predictable and not very imaginative, but succeeded through sheer mass, strength, effort, and persistence.

This may have worked for Woody at Ohio State, but it's a poor model for progress in cyber security. The "pace of the game" is governed by the clock speed of innovation on the part of threat agents, not by us defenders. Plus, most organizations aren't sitting at "3rd down and 3 yds to go" -- more like "3rd down and 33 yds to go". "Three yards and a cloud of dust" is ultimately a failing strategy because it leaves us perpetually behind the minimum threshold of acceptable performance.